b' Department of Health and Human Services\n                   OFFICE OF\n              INSPECTOR GENERAL\n\n\n\n\nREVIEW OF MEDICARE CONTRACTOR\n     INFORMATION SECURITY\n   PROGRAM EVALUATIONS FOR\n       FISCAL YEAR 2011\n\n    Inquiries about this report may be addressed to the Office of Public Affairs at\n                             Public.Affairs@oig.hhs.gov.\n\n\n\n\n                                                  Daniel R. Levinson\n                                                   Inspector General\n\n                                                     January 2014\n                                                     A-18-13-30100\n\x0c                        Office of Inspector General\n                                         https://oig.hhs.gov\n\n\n\nThe mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is\nto protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the\nhealth and welfare of beneficiaries served by those programs. This statutory mission is carried out\nthrough a nationwide network of audits, investigations, and inspections conducted by the following\noperating components:\n\nOffice of Audit Services\n\nThe Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with\nits own audit resources or by overseeing audit work done by others. Audits examine the performance of\nHHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are\nintended to provide independent assessments of HHS programs and operations. These assessments help\nreduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.\n\nOffice of Evaluation and Inspections\nThe Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress,\nand the public with timely, useful, and reliable information on significant issues. 
These evaluations focus\non preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of\ndepartmental programs. To promote impact, OEI reports also present practical recommendations for\nimproving program operations.\n\nOffice of Investigations\nThe Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and\nmisconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50\nStates and the District of Columbia, OI utilizes its resources by actively coordinating with the Department\nof Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI\noften lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.\n\nOffice of Counsel to the Inspector General\nThe Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering\nadvice and opinions on HHS programs and operations and providing all legal support for OIG\xe2\x80\x99s internal\noperations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS\nprograms, including False Claims Act, program exclusion, and civil monetary penalty cases. In\nconnection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG\nrenders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides\nother guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement\nauthorities.\n\x0c                         Notices\n\n\n    THIS REPORT IS AVAILABLE TO THE PUBLIC\n              at https://oig.hhs.gov\n\n Section 8L of the Inspector General Act, 5 U.S.C. 
App., requires\n that OIG post its publicly available reports on the OIG Web site.\n\nOFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS\n\n The designation of financial or management practices as\n questionable, a recommendation for the disallowance of costs\n incurred or claimed, and any other conclusions and\n recommendations in this report represent the findings and\n opinions of OAS. Authorized officials of the HHS operating\n divisions will make final determination on these matters.\n\x0c                                      EXECUTIVE SUMMARY\n\n The evaluations of the Medicare contractor information security program were adequate\n in scope and were sufficient, but the Centers for Medicare & Medicaid Services should\n continue to ensure that all Medicare contractor findings are remediated.\n\nWHY WE DID THIS REVIEW\n\nEach Medicare contractor must have its information security program evaluated annually by an\nindependent entity. These evaluations must address the eight major requirements enumerated in\nthe Federal Information Security Management Act of 2002 (FISMA). The Social Security Act\n(the Act) also requires evaluations of the information security controls for a subset of systems\nbut does not specify the criteria for these evaluations. The Inspector General, Department of\nHealth and Human Services, must submit to Congress annual reports on the results of these\nevaluations, to include assessments of their scope and sufficiency. 
This report fulfills that\nresponsibility for fiscal year (FY) 2011.\n\nOur objectives were to assess the scope and sufficiency of Medicare contractor information\nsecurity program evaluations and report the results of those evaluations and assessments.\n\nBACKGROUND\n\nThe Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added to the Act\ninformation security requirements for Medicare administrative contractors (MACs), fiscal\nintermediaries, and carriers, which process and pay Medicare fee-for-service claims. To comply\nwith these requirements, the Centers for Medicare & Medicaid Services (CMS) contracted with\nPricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal\nintermediaries, and carriers using a set of agreed-upon procedures.\n\nThe Act also requires evaluations of the information security controls for a subset of systems but\ndoes not specify the criteria for these evaluations. To satisfy this requirement, CMS expanded\nthe scope of its evaluations to test segments of the Medicare claims processing systems hosted at\nthe Medicare data centers, which support each of the MACs, fiscal intermediaries, and carriers.\n\nWHAT WE FOUND\n\nPwC\xe2\x80\x99s evaluations of the contractor information security programs were adequate in scope and\nwere sufficient. PwC reported a total of 127 gaps at 11 Medicare contractors for FY 2011, which\nwas a decrease of 23 percent from FY 2010. 
Gaps are defined as the differences between\nFISMA or CMS core security requirements and the contractors\xe2\x80\x99 implementation of them.\n\nAssessment of Scope and Sufficiency\n\nPwC\xe2\x80\x99s evaluations of the contractor information security programs adequately encompassed in\nscope and sufficiency the eight FISMA requirements referenced in the Act.\n\n\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)   i\n\x0cResults of Contractor Information Security Program Evaluations\n\nThe results of the contractor information security program evaluations are presented in terms of\ngaps.\n\nAt the 11 contractors in FY 2011, which covered all MACs, fiscal intermediaries, and carriers,\nPwC identified a total of 127 gaps, which it consolidated into 95 findings. The contractors are\nresponsible for developing a corrective action plan for each finding. The number of gaps per\ncontractor ranged from 5 to 17 and averaged 12. The most gaps occurred in the following\nFISMA control areas: policies and procedures to reduce risk (41 gaps at 11 contractors), testing\nof information security controls (35 gaps at 11 contractors), incident response (17 gaps at 11\ncontractors), and security program and system security plans (14 gaps at 7 contractors).\n\nThe number of gaps decreased by 23 percent when compared with the results for FY 2010. CMS\nis responsible for tracking each finding until it is remediated.\n\nCONCLUSION\n\nThe scope of the work and sufficiency of documentation for all reported gaps were sufficient for\nthe 11 Medicare contractors reviewed by PwC. While the total number of gaps identified at the\nMedicare contractors has decreased from the previous year, deficiencies remain in the FISMA\ncontrol areas tested. 
CMS should continue to ensure that all gaps are remediated by the\nMedicare contractors.\n\nCENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS\n\nCMS had no additional comments to the draft report.\n\n\n\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)   ii\n\x0c                                                     TABLE OF CONTENTS\n\n\nINTRODUCTION ...........................................................................................................................1\n\n          Why We Did This Review ...................................................................................................1\n\n          Objectives ............................................................................................................................1\n\n          Background ..........................................................................................................................1\n                The Medicare Program ............................................................................................1\n                Medicare Prescription Drug, Improvement, and Modernization Act of 2003 .........1\n                CMS Evaluation Process for Fiscal Year 2011........................................................2\n\n          How We Conducted This Review........................................................................................3\n\nFINDINGS             ..................................................................................................................................3\n\n          Assessment of Scope and Sufficiency .................................................................................3\n\n          Results of Medicare Contractor Information Security Program Evaluations ......................3\n                 Policies and Procedures To Reduce Risk.................................................................5\n                 Testing of 
Information Security Controls ................................................................5\n                 Incident Detection, Reporting, and Response ..........................................................6\n                 Security Program and System Security Plans ..........................................................7\n\nCONCLUSION ................................................................................................................................7\n\nCMS COMMENTS .........................................................................................................................7\n\nAPPENDIXES\n\n          A: Audit Scope and Methodology ......................................................................................8\n\n          B: List of Gaps by Federal Information Security Management Act of 2002\n              Control Area and Medicare Contractor........................................................................9\n\n          C: Percentage Change in Gaps per Medicare Contractor ................................................10\n\n          D: Results of Medicare Contractor Evaluations for Federal Information\n               Security Management Act of 2002 Control Areas with the Greatest\n               Number of Gaps ......................................................................................................11\n\n          E: CMS Comments ..........................................................................................................16\n\n\n\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)                                                   iii\n\x0c                                            INTRODUCTION\n\nWHY WE DID THIS REVIEW\n\nThe Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) requires\nthat each Medicare contractor have its information security program evaluated annually by an\nindependent entity. 
These evaluations must address the eight major requirements enumerated in\nthe Federal Information Security Management Act of 2002 (FISMA). The Social Security Act\n(the Act) also requires evaluations of the information security controls for a subset of systems\nbut does not specify the criteria for these evaluations. The Inspector General, Department of\nHealth and Human Services, must submit to Congress annual reports on the results of these\nevaluations, to include assessments of their scope and sufficiency. This report fulfills that\nresponsibility for fiscal year (FY) 2011.\n\nOBJECTIVES\n\nOur objectives were to assess the scope and sufficiency of Medicare contractor information\nsecurity program evaluations and report the results of those evaluations.\n\nBACKGROUND\n\nThe Medicare Program\n\nThe Centers for Medicare & Medicaid Services (CMS) administers Medicare. Medicare is a\nhealth insurance program for people age 65 or older, people under age 65 with certain\ndisabilities, and people of all ages with end-stage renal disease. In FY 2011, Medicare paid more\nthan $474 billion on behalf of more than 49 million Medicare beneficiaries. CMS contracts with\nMedicare Administrative Contractors (MACs), fiscal intermediaries, and carriers to administer\nMedicare benefits paid on a fee-for-service basis. In FY 2011, 11 distinct entities served as\nMACs, fiscal intermediaries, and carriers for Medicare Parts A and B to process and pay\nMedicare fee-for-service claims.\n\nMedicare Prescription Drug, Improvement, and Modernization Act of 2003\n\nThe MMA added information security requirements for MACs, fiscal intermediaries, and carriers\nto section 1874A of the Act. 1 (See 42 U.S.C. \xc2\xa7 1395kk-1.) Each MAC, fiscal intermediary, and\ncarrier must have its information security program evaluated annually by an independent entity\n(the Act \xc2\xa7 1874A(e)(2)(A)). 
This section requires that these evaluations address the eight major\nrequirements enumerated in the FISMA. (See 44 U.S.C. \xc2\xa7 3544(b).) These requirements,\nreferred to as \xe2\x80\x9cFISMA control areas\xe2\x80\x9d in this report, are:\n\n        1. periodic risk assessments;\n\n\n1\n The MMA contracting reform provisions added to section 1874A of the Act replace existing fiscal intermediaries\nand carriers with MACs, which are competitively selected. Until all MACs are in place, the requirements of\nsection 1874A also apply to fiscal intermediaries and carriers.\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)                1\n\x0c        2. policies and procedures to reduce risk;\n\n        3. security program and system security plans;\n\n        4. security awareness training;\n\n        5. testing of information security controls;\n\n        6. remedial actions;\n\n        7. incident detection, reporting, and response; and\n\n        8. 
continuity of operations planning.\n\nSection 1874A(e)(2)(A)(ii) of the Act requires that the effectiveness of information security\ncontrols be tested for an appropriate subset of Medicare contractors\xe2\x80\x99 information systems.\nHowever, this section does not specify the criteria for evaluating these security controls.\n\nAdditionally, section 1874A(e)(2)(C)(ii) of the Act requires us to submit to Congress annual\nreports on the results of such evaluations, including assessments of their scope and sufficiency.\n\nCMS Evaluation Process for Fiscal Year 2011\n\nCMS developed agreed-upon procedures (AUP) for the program evaluation on the basis of the\nrequirements of section 1874A(e)(1) of the Act, FISMA, information security policy and\nguidance from the Office of Management and Budget and the National Institute of Standards and\nTechnology (NIST), and the Government Accountability Office\xe2\x80\x99s (GAO) Federal Information\nSystems Controls Audit Manual (FISCAM). In FY 2011, 11 distinct entities served as MACs,\nfiscal intermediaries, and carriers. The independent auditors, PricewaterhouseCoopers (PwC),\nunder contract with CMS, used the AUPs to evaluate the information security programs at the 11\nentities. Many of the entities had multiple contracts with CMS to fulfill their responsibilities as\nMedicare fiscal intermediaries, carriers, A/B MACs, and Durable Medical Equipment MACs.\nAs a result, PwC issued separate reports for 20 MACs, fiscal intermediaries, and carriers.\n\nTo comply with the section 1874A(e)(2)(A)(ii) requirement to test the effectiveness of\ninformation security controls for an appropriate subset of contractors\xe2\x80\x99 information systems, CMS\nincluded in the scope of its AUP evaluations testing of segments of the Medicare claims\nprocessing systems hosted at the Medicare data centers, which support each of the MACs, fiscal\nintermediaries, and carriers. 
Medicare data centers are used for \xe2\x80\x9cfront-end\xe2\x80\x9d preprocessing of\nclaims received from providers and \xe2\x80\x9cback-end\xe2\x80\x9d issuing of payments to providers after claims\nhave been adjudicated. PwC performed additional testing to eliminate the need to contract with\nanother entity to perform the assessments that had previously been performed at the fiscal\nintermediaries, carriers, and MAC data centers.\n\nThe results of the contractor information security program evaluations are presented in terms of\ngaps or findings, which are defined as differences between FISMA or CMS core security\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)   2\n\x0crequirements and the contractor\xe2\x80\x99s implementation of the requirements. In some instances, PwC\ndetermined that gaps involving the contractor\xe2\x80\x99s internal control and its operations did not rise to\nthe level of a finding, so they were noted as an observation. PwC assigned impact levels to each\nof the findings. The contractors are responsible for developing a corrective action plan for each\nfinding, and CMS is responsible for tracking all corrective action plans and ensuring that the\nfindings are remediated.\n\nHOW WE CONDUCTED THIS REVIEW\n\nWe evaluated the FY 2011 results of the independent evaluations of the Medicare contractors\xe2\x80\x99\ninformation security programs. Our review did not include an evaluation of internal controls.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards, except that we did not obtain comments from PwC. Those standards require\nthat we plan and perform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives. 
We believe that\nthe evidence obtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives.\n\nAppendix A contains the details of our audit scope and methodology.\n\n                                               FINDINGS\n\nPwC\xe2\x80\x99s evaluations of the contractor information security programs were adequate in scope and\nwere sufficient. PwC reported a total of 127 gaps, which resulted in 95 findings and 32\nobservations.\n\nASSESSMENT OF SCOPE AND SUFFICIENCY\n\nPwC\xe2\x80\x99s evaluations of the contractor information security programs adequately encompassed in\nscope and sufficiency the eight FISMA requirements referenced in section 1874A(e)(1) of the\nAct.\n\nRESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM\nEVALUATIONS\n\nAs shown in Table 1, PwC identified a total of 127 gaps at the 11 Medicare contractors. The\nnumber of gaps per contractor ranged from 5 to 17 and averaged 12. See Appendix B for a list\nof gaps per control area by contractor.\n\n                          Table 1: Range of Medicare Contractor Gaps\n                                                   Number of Contractors With\n                  Number of         Total       0    1-5      6\xe2\x80\x9310    11-15   16+\n         FY       Contractors       Gaps       Gaps Gap(s) Gaps       Gaps    Gaps\n        2010          11             166        0     0         1       5      5\n        2011          11             127        0     1         3       5      2\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)   3\n\x0cThe total number of gaps reported decreased by 23 percent (166 in FY 2010 to 127 in FY 2011).\nWhile the number of contractors with 6 to 10 gaps increased by 2, the number of contractors with\n16 or more gaps decreased by 3. Eight contractors had fewer gaps in FY 2011, and three\ncontractors had more gaps. 
See Appendix C for the FY 2010 to FY 2011 percentage change in\ngaps per Medicare contractor.\n\nTable 2 summarizes the gaps found in each FISMA control area in FYs 2010 and 2011. Only\ntwo of the eight FISMA control areas had an increase in gaps for FY 2011, with an increase of\nonly one or two gaps.\n\nTable 2: Gaps by Federal Information Security Management Act Control Area in FY 2011\n                                                                                     No. of Contractors\n                                        Impact Levels           No. of Gaps          With One or More\n                                          of FISMA               Identified                Gap(s)\n             FISMA                      Control Area           FY         FY           FY         FY\n           Control Area                 Subcategories         2010       2011         2010       2011\n                                           High &\nPeriodic risk assessments                                       5             1            5         1\n                                           Medium\nPolicies and procedures to reduce\n                                              High             39            41          11          11\nrisk\nSecurity program and system                 High &\n                                                               27            14          11          7\nsecurity plans                              Medium\nSecurity awareness training                 Medium             14             5            8          4\nTesting of information security\n                                              High             34            35          11          11\ncontrols\nRemedial actions                             High               5             4           2           4\nIncident response                            High              22            17          10          11\n                                            High &\nContinuity of 
operations planning                              20            10            9         8\n                                            Medium\n Total                                                       166           127\n\nThe Medicare contractor information security program evaluations covered several subcategories\nwithin each FISMA control area. The \xe2\x80\x9cimpact level\xe2\x80\x9d shown in Table 2 refers to the possible\nlevel of adverse impact that could result from successful exploitation of gaps in any of the\nsubcategories depending on the organization\xe2\x80\x99s mission and criticality and the sensitivity of the\nsystems and data involved. The actual ratings assigned to the subcategories were all high or\nmedium impact and were PwC\xe2\x80\x99s assessments. Individual findings were assigned an overall risk\nlevel on a subjective basis by PwC after considering the impact and likelihood of occurrence.\nHowever, as stated in NIST Special Publication (SP) 800-115, Technical Guide to Information\nSecurity Testing and Assessment, section 4.3, it is difficult to identify the risk level of individual\nvulnerabilities because they rarely exist in isolation.\n\nThe following sections discuss the four FISMA control areas containing the most gaps. 
See\nAppendix D for descriptions of each subcategory tested for the four control areas.\n\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)        4\n\x0cPolicies and Procedures To Reduce Risk\n\nAccording to NIST SP 800-53, Recommended Security Controls for Federal Information\nSystems and Organizations:\n\n         \xe2\x80\xa6 the management of risk is a key element in the organization\xe2\x80\x99s information\n         security program and provides an effective framework for selecting the\n         appropriate security controls for an information system\xe2\x80\x94the security controls\n         necessary to protect individuals and the operations and assets of the organization.\n         The risk-based approach to security control selection and specification considers\n         effectiveness, efficiency, and constraints taking into account applicable federal\n         laws, Executive orders, directives, policies, regulations, standards, or guidelines.\n\nAll 11 Medicare contractors had from 2 to 4 gaps each. In total, PwC identified 41 gaps in this\narea. Following are examples of gaps in policies and procedures to reduce risk:\n\n    \xe2\x80\xa2    System configuration checklists did not include specific security settings that complied\n         with CMS requirements.\n\n    \xe2\x80\xa2    Systems operating in the contractor\xe2\x80\x99s environment did not have the latest patches 2\n         installed.\n\n    \xe2\x80\xa2    Procedures to assess whether malicious software protection mechanisms have been\n         installed and were up to date and operating effectively were not fully consistent with\n         CMS requirements.\n\nIneffective policies and procedures to reduce risk could jeopardize an organization\xe2\x80\x99s mission,\ninformation, and information technology assets. 
Without adequate configuration standards and\nthe latest security patches, systems may be susceptible to exploitation that could lead to\nunauthorized disclosure of data, data modification, or the unavailability of data.\n\nTesting of Information Security Controls\n\nThe effectiveness of information security policies, procedures, practices, and controls should be\ntested and evaluated at least annually (NIST SP 800-53, Recommended Security Controls for\nFederal Information Systems and Organizations, Control CA-2). Security testing enables\norganizations to measure levels of compliance in areas such as patch management, password\npolicy, and configuration management (NIST SP 800-115, section 2.3). Changes to an\napplication should be tested and approved before being put into production (FISCAM,\nsection 3.3).\n\nAll 11 Medicare contractors had from 2 to 4 gaps each related to testing of information security\ncontrols. In total, 35 gaps were identified in this area.\n\n\n2\n  A patch is a piece of software designed to correct security and functionality problems in software programs and\nfirmware.\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)                  5\n\x0cFollowing are examples of gaps in testing of information security controls:\n\n    \xe2\x80\xa2   The contractor\xe2\x80\x99s configuration management process had not been fully executed for all\n        platforms reviewed.\n\n    \xe2\x80\xa2   The contractor\xe2\x80\x99s system configurations for platforms reviewed did not comply with CMS\n        requirements.\n\n    \xe2\x80\xa2   Security weaknesses were identified as part of the internal network penetration testing.\n\nWithout a comprehensive program for periodically testing and monitoring information security\ncontrols, management has no assurance that appropriate safeguards are in place to mitigate\nidentified risks.\n\nIncident Detection, Reporting, and Response\n\nThe Executive Summary of 
NIST SP 800-61, Computer Security Incident Handling Guide, states\nthat:\n\n        \xe2\x80\xa6 computer security incident response has become an important component of\n        information technology programs. Security-related threats have become not only\n        more numerous and diverse but also more damaging and disruptive. New types of\n        security-related incidents emerge frequently. Preventative activities based on the\n        results of risk assessments can lower the number of incidents, but not all incidents\n        can be prevented. An incident response capability is therefore necessary for\n        rapidly detecting incidents, minimizing loss and destruction, mitigating any\n        weaknesses that were exploited, and restoring computing services.\n\nAll 11 Medicare contractors had 1 or 2 gaps in incident response. In total, PwC identified 17\ngaps in this area. Following are examples of gaps in incident response:\n\n    \xe2\x80\xa2   The process for reviewing system logs did not comply with CMS requirements.\n\n    \xe2\x80\xa2   Reportable incidents were not reported within the CMS-required timeframe.\n\n    \xe2\x80\xa2   Policies and procedures for the review of audit logs did not contain detailed guidance\n        about the process, identify tools to be used to support the process, or indicate the CMS\n        requirements to accomplish log review.\n\nKeeping the number of incidents reasonably low is very important to protect the business\nprocesses of the organization. If security controls are insufficient, high volumes of incidents\nmay occur, which could overwhelm the incident response team. 
This could lead to slow and\nincomplete responses and negative business effects (e.g., extensive damage to computer systems,\nperiods without computer service, and periods when data are unavailable).\n\n\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)   6\n\x0cSecurity Program and System Security Plans\n\nAn agency should ensure its information security policy is sufficiently current to accommodate\nthe information security environment and the agency mission and operational requirements\n(NIST SP 800-100, Information Security Handbook: A Guide for Managers, section 2.2.5).\nOrganizations must screen employees before granting access to information and information\nsystems (NIST SP 800-53, Control PS-3); they should revoke system access immediately\nfollowing an employee termination (NIST SP 800-53, Control PS-4); and \xe2\x80\x9csystem security\nplan[s] should provide an overview of a system\xe2\x80\x99s security requirements and describe the controls\nin place or planned for meeting those requirements\xe2\x80\x9d (Executive Summary of NIST SP 800-18,\nGuide for Developing Security Plans for Federal Information Systems).\n\nFour of the eleven Medicare contractors had no identified gaps in security program and system\nsecurity plans, while the remaining 7 had from 1 to 3 gaps each. 
In total, PwC identified 14 gaps\nin this area.\n\nFollowing are examples of gaps in security program and system security plans:\n\n    \xe2\x80\xa2   System access for terminated users was not suspended or removed within CMS-required\n        timeframes.\n\n    \xe2\x80\xa2   The contractor\xe2\x80\x99s transfer procedures did not define the time period for access removal or\n        reassignment.\n\n    \xe2\x80\xa2   The contractor\xe2\x80\x99s system security plan did not identify a complete list of platforms that\n        supports Medicare operations.\n\nIf information security program requirements are not implemented and enforced, management\nhas no assurance that established system security controls will be effective in protecting valuable\nassets, such as information, hardware, software, systems, and related technology assets that\nsupport the organization\xe2\x80\x99s critical missions.\n\n                                            CONCLUSION\n\nThe scope of the work and sufficiency of documentation for all reported gaps were sufficient for\nthe 11 Medicare contractors reviewed by PwC. While the total number of gaps identified at the\nMedicare contractors has decreased from FY 2010, deficiencies remain in the FISMA control\nareas tested. CMS should continue to ensure that all gaps are remediated by the Medicare\ncontractors.\n\n                                          CMS COMMENTS\n\nCMS had no additional comments to the draft report. We have included CMS\xe2\x80\x99s comments in\ntheir entirety in Appendix E.\n\n\n\n\nReview of Medicare Contractor Information Security Program Evaluations for FY 2011 (A-18-13-30100)   7\n\x0c                    APPENDIX A: AUDIT SCOPE AND METHODOLOGY\n\nSCOPE\n\nWe evaluated the FY 2011 results of the independent evaluations and technical assessments of\nMedicare contractors\xe2\x80\x99 information security programs. Our review did not include an evaluation\nof internal controls. 
We performed our reviews of PwC working papers at CMS headquarters in Baltimore, Maryland, and at Office of Inspector General regional offices from February through April 2013.

METHODOLOGY

To accomplish our objectives, we performed the following steps:

        •   To assess the scope of the evaluations of contractor information security programs, we determined whether the AUPs included the eight FISMA control requirements enumerated in section 1874A(e)(1) of the Act.

        •   To assess the sufficiency of the evaluations of contractor information security programs, we reviewed the PwC working papers supporting the evaluation reports to determine whether PwC sufficiently addressed all areas required by the AUPs. We also determined whether all security-related weaknesses were included in the PwC reports by comparing the supporting documentation with the reports, and whether all findings in the PwC reports were adequately supported by comparing the reports with the PwC working papers.

        •   To report on the results of the evaluations, we aggregated the results in the individual contractor evaluation reports, using the number of gaps listed in each contractor's evaluation report.

We conducted this performance audit in accordance with generally accepted government auditing standards, except that we did not obtain comments from PwC. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

                                   APPENDIX B: LIST OF GAPS BY
                      FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
                            CONTROL AREA AND MEDICARE CONTRACTOR

Control areas (with impact levels):

    A   Periodic Risk Assessments (High & Medium)
    B   Policies and Procedures To Reduce Risk (High)
    C   Security Program and System Security Plans (High & Medium)
    D   Security Awareness Training (Medium)
    E   Testing of Information Security Controls (High)
    F   Remedial Actions (High)
    G   Incident Detection, Reporting, and Response (High)
    H   Continuity of Operations Planning (High & Medium)

Medicare
Contractor     A     B     C     D     E     F     G     H   Total Gaps
     1         0     4     0     0     3     0     1     1        9
     2         0     4     1     1     4     1     2     1       14
     3         0     4     1     1     3     0     1     2       12
     4         0     4     3     0     4     1     2     2       16
     5         0     2     0     0     2     0     1     0        5
     6         0     4     0     0     4     0     2     1       11
     7         0     4     0     0     3     0     2     0        9
     8         0     4     3     0     3     0     1     1       12
     9         1     4     2     2     4     1     2     1       17
    10         0     4     3     0     3     1     1     1       13
    11         0     3     1     1     2     0     2     0        9

  Total        1    41    14     5    35     4    17    10      127

          Note: Impact levels for FISMA control areas were derived by PwC.

      APPENDIX C: PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR

Contractor    FY 2010 Gaps    FY 2011 Gaps    % Change
     1             16               9           (44%)
     2             13              14              8
     3             14              12            (14)
     4             15              16              7
     5             12               5            (58)
     6             19              11            (42)
     7             13               9            (31)
     8             17              12            (29)
     9             22              17            (23)
    10              6              13            117
    11             19               9            (53)
  Total           166             127           (23%)

          Note: Parentheses indicate a decrease in the number of gaps from FY 2010 to FY 2011.

      APPENDIX D: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS
      FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
          CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS

The "impact level" shown in Tables 1 through 4 refers to the level of adverse impact that could result from successful exploitation of a vulnerability in any of the FISMA control areas. Impact can be described as high, medium, or low in light of the organization's mission and criticality and the sensitivity of the systems and data involved. PwC assigned a rating of high or medium impact to each of the subcategories in the agreed-upon procedures developed by CMS. Individual gaps were assigned an overall risk level on a subjective basis by PwC after considering the impact of the gaps and the likelihood of their occurrence.

POLICIES AND PROCEDURES TO REDUCE RISK

The Medicare contractor information security program evaluations assessed seven subcategories related to policies and procedures to reduce risk.
The evaluation reports identified a total of 41 gaps in this FISMA control area.

                     Table 1: Policies and Procedures To Reduce Risk Gaps

 No.  Subcategory                                                        No. of Gaps   Impact Level
  1   Documentation exists that outlines reducing the risk exposure            0        High
      identified in periodic risk assessments.
  2   Systems security controls have been tested and evaluated. The            0        High
      system/network boundaries have been subjected to periodic
      reviews/audits.
  3   All gaps in compliance per CMS's minimum security requirements           0        High
      are identified in the results of management's compliance checklist.
  4   Security policies and procedures include controls to address            10        High
      platform security configurations and patch management.
  5   The latest patches have been installed on the contractor's systems.     11        High
  6   Security settings are included within internal checklists and           10        High
      comply with Defense Information Systems Agency standards.
  7   Malicious software protection has been installed on                     10        High
      workstations/laptops, is up to date, and is operating effectively,
      and administrators are alerted of any malicious software identified
      on workstations/laptops.
      Total                                                                   41

TESTING OF INFORMATION SECURITY CONTROLS

The Medicare contractor information security program evaluations covered seven subcategories related to the testing of information security controls. The evaluation reports identified a total of 35 gaps in this FISMA control area.

                    Table 2: Testing of Information Security Controls Gaps

 No.  Subcategory                                                        No. of Gaps   Impact Level
  1   Management reports exist for the review and testing of                   0        High
      information security policies and procedures, including network
      risk assessments, accreditations and certifications, internal
      and external audits, security reviews, and penetration and
      vulnerability assessments.
  2   Annual reviews and audits are conducted to ensure compliance with        8        High
      FISMA guidance from the Office of Management and Budget for
      reviews of security controls, including logical and physical
      security controls, platform configuration standards, and patch
      management controls.
  3   Remedial action is being taken for issues noted in audits.               0        High
  4   Change control management procedures exist.                              0        High
  5   Change control procedures are tested by management to verify             5        High
      they are in use.
  6   Systems are configured according to documented security                 11        High
      configuration checklists.
  7   Weaknesses are identified by PwC during a network attack and            11        High
      penetration test.
      Total                                                                   35

INCIDENT DETECTION, REPORTING, AND RESPONSE

The Medicare contractor information security program evaluations assessed five subcategories related to incident detection, reporting, and response. The evaluation reports identified a total of 17 gaps in this FISMA control area.

                                  Table 3: Incident Response Gaps

 No.  Subcategory                                                        No. of Gaps   Impact Level
  1   Management has a process to monitor systems and networks for             0        High
      unusual activity or intrusion attempts.
  2   Management has procedures to take and has taken action in                6        High
      response to unusual activity, intrusion attempts, and actual
      intrusions.
  3   Management processes and procedures include reporting of                 0        High
      intrusion attempts and intrusions in accordance with FISMA
      guidance.
  4   Policies, procedures, and security configuration checklists              0        High
      related to intrusion detection systems within the network are
      in place, controls comply with documented security configuration
      checklists, and there is a process for monitoring intrusion
      detection system alerts.
  5   Log management procedures have been developed and implemented           11        High
      for specific platforms, and intrusion detection systems have
      been properly placed and configured.
      Total                                                                   17

SECURITY PROGRAM AND SYSTEM SECURITY PLANS

The Medicare contractor information security program evaluations assessed 11 subcategories related to security program and system security plans. The evaluation reports identified a total of 14 gaps in this FISMA control area.

                  Table 4: Security Program and System Security Plan Gaps

 No.  Subcategory                                                        No. of Gaps   Impact Level
  1   A security plan is documented and approved.                              0        High
  2   The security plan is kept current.                                       4        Medium
  3   A security management structure has been established.                    0        High
  4   Information security responsibilities are clearly assigned.              0        High
  5   Owners and users are aware of security policies.                         0        High
  6   Hiring, transfer, termination, and performance policies address          2        High
      security.
  7   Employee background checks are performed.                                2        Medium
  8   Security employees have adequate security training and                   0        Medium
      background.
  9   Management has documented that it periodically assesses the              3        High
      appropriateness of security policies and compliance with them,
      including testing of security policies and procedures.
 10   Management ensures that corrective actions are effectively               0        Medium
      implemented.
 11   Hired, transferred, and terminated employees have their access           3        Medium
      properly added, changed, or removed.
      Total                                                                   14

                                           APPENDIX E: CMS COMMENTS
DEPARTMENT OF HEALTH & HUMAN SERVICES                                     Centers for Medicare & Medicaid Services

                                                                          Administrator
                                                                          Washington, DC 20201


DATE:     NOV 18 2013

TO:       Daniel R. Levinson
          Inspector General

FROM:

SUBJECT:  Office of Inspector General's (OIG) Draft Report: "Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2011" (A-18-13-30100)

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 amended section 1874A of the Social Security Act. The modification added information security requirements for Medicare administrative contractors (MACs), fiscal intermediaries and carriers, which process and pay Medicare fee-for-service claims. To comply with these requirements, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal intermediaries and carriers using a set of agreed-upon procedures. The objective of the review was to assess the scope and sufficiency of Medicare contractor information security program evaluations and report the results of those evaluations.

The Social Security Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS expanded the scope of its evaluations to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs, fiscal intermediaries and carriers. The CMS offers no additional comments to submit.

The CMS thanks the OIG for their efforts on this issue and looks forward to working with OIG on this and other issues in the future.